Opening VPN access
-
Looks like that should be all that's necessary there. Are there firewall rules on WAN passing the same traffic to 172.30.0.132? Is the traffic arriving at your Fortigate?
-
We indeed have a firewall rule on WAN passing the same traffic to 172.30.0.132. (see screenshot - I'll attach a second screenshot in my next reply).

-
And the remaining rules in this second screenshot. We also see traffic arriving at the Fortigate 200 (I believe this is the initial handshake of the communication), and then the connection gets dropped before it is completely established.

-
NAT Traversal should be all you need. I don't think you can port-forward ESP itself.
Is the traffic arriving on the fortigate?
-
Yes. Traffic is arriving at the fortigate. In the logs we see the initial communication being setup, but then the connection attempt gets dropped, and I'm assuming that's because there is still something that is blocked.
When I try to establish a VPN connection to the Fortigate 200 directly via the local network, it works. So I'm sure the Fortigate is working.
-
Therefore it has to be pfSense at fault.
-
I agree. But how can I troubleshoot what's wrong?
-
Most likely problem: The Fortigate is sending its local IP address as its identifier and the device at the other end is expecting the pfSense WAN IP.
Check the expected identifier at the other end. Change the Fortigate to send the public IP if that's what is needed to match.
Or you could just use pfSense to setup the tunnel directly. ;)
Steve
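As an added illustration of the diagnosis above (example code, not from the thread or from pfSense/Fortigate), this small checker takes a constructed view of the pfSense port forwards and the IKE identifiers on both sides and reports the usual reasons an IPsec peer behind NAT fails: missing UDP/500 or UDP/4500 forwards, an ESP forward that cannot work, and the identifier mismatch. The WAN address 203.0.113.10 is an assumed placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Forward:
    proto: str            # "udp", "tcp" or "esp"
    port: Optional[int]   # None for protocols without ports (ESP)
    target: str           # inside host the traffic is forwarded to

def check_ipsec_behind_nat(forwards: List[Forward], inside_host: str,
                           wan_ip: str, local_id_sent: str,
                           peer_expects_id: str) -> List[str]:
    """Return findings for an IPsec endpoint behind a pfSense port forward.

    An empty list means none of the common mistakes is present."""
    findings = []
    udp_ports = {f.port for f in forwards
                 if f.proto == "udp" and f.target == inside_host}
    # IKE negotiates on UDP/500; with NAT-Traversal both IKE and the
    # UDP-encapsulated ESP move to UDP/4500, so both must reach the device.
    for port, role in ((500, "IKE"), (4500, "NAT-T")):
        if port not in udp_ports:
            findings.append(f"no UDP/{port} ({role}) forward to {inside_host}")
    # ESP (IP protocol 50) has no ports, so a port forward cannot carry it
    # through NAT; NAT-T's UDP/4500 encapsulation is what makes it work.
    if any(f.proto == "esp" for f in forwards):
        findings.append("ESP forward present: not usable behind NAT, rely on NAT-T")
    # The remote peer normally expects the identifier it sees as the source
    # address of the packets, i.e. the pfSense WAN IP, not the inside address.
    if local_id_sent != peer_expects_id:
        msg = f"identifier mismatch: sending {local_id_sent}, peer expects {peer_expects_id}"
        if local_id_sent == inside_host and peer_expects_id == wan_ip:
            msg += " (device sends its inside address; set its IKE ID to the WAN IP)"
        findings.append(msg)
    return findings

# Constructed sample matching the thread: UDP/500 and UDP/4500 forwarded to
# the Fortigate at 172.30.0.132, Fortigate still identifying itself by its
# inside address while the far end expects the (assumed) pfSense WAN IP.
SAMPLE_FORWARDS = [Forward("udp", 500, "172.30.0.132"),
                   Forward("udp", 4500, "172.30.0.132")]
WAN_IP = "203.0.113.10"  # assumed placeholder, not from the thread

def demo() -> List[str]:
    return check_ipsec_behind_nat(SAMPLE_FORWARDS, "172.30.0.132", WAN_IP,
                                  local_id_sent="172.30.0.132",
                                  peer_expects_id=WAN_IP)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```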
-
According to Fortigate that is likely the cause of the problem. Could you send me the instructions on how to change the configuration to send down the local identifier to the device? Thanks.
-
That's something you would need to configure in the Fortigate. I can't help you with that.
Is there a reason you're not just terminating the VPN in pfSense directly? I could help you with that. ;)
Steve